110 likes | 233 Views
Program analysis with dynamic change of precision. Philippe Giabbanelli CMPT 894 – Spring 2008. As we said a long time ago in a far, far galaxy…. specify a trade-off before executing the. In the episode I, we saw that we could. Analysis. Here, the precision can be.
E N D
Program analysis with dynamic change of precision. Philippe Giabbanelli CMPT 894 – Spring 2008
As we said a long time ago in a far, far galaxy… specify a trade-off before executing the In the episode I, we saw that we could Analysis. Here, the precision can be dynamically adjusted: not before, during! C_______CMPT 894 – Episode VI _______ The Program Analysis Strikes Back ______________________________ Model checking is accurate but very costly. On the other hand, abstract Interpretation had a reasonable cost but was not very accurate.
Principles Formalism Application Results Model Checking Program Analysis • Accurate analysis but very costly: small programs! • Not too precise (possible false alarms,…) but quite cheap. • The precision can be increased automatically during the execution, but extremely costly! • Has to be specified to the user before starting: the abstraction cannot be changed dynamically. • As you can guess, we want the advantages but not the inconvenient. A reasonable cost and the possibility of automatically increasing the precision during the execution. • We run several analysis simultaneously. When the precision of one analysis becomes two costly (i.e. number of values over a threshold), we decrease its accuracy and increase the accuracy of another one. 2
Principles Formalism Application Results We added a new predicate: refinement of the predicate abstract domain. We removed a variable: abstraction of the explicit abstract domain. We stop tracking explicitely the values of p and we inject p < n in the predicate analysis. However, the number of possible values for the loop counter p can be arbitrarily large. We can afford having an explicit analysis to track the values of st because there is a reasonable number of possible values. 3
Principles Formalism Application Results • Remember the definition of configurable program analysis (CPA)? • Now, let’s add the manipulation of the precision to define CPA+! ∙ An abstract domain, determines the objective of the analysis. ∙ A transfer relation, assigns to each abstract state its successors. ∙ The merge operator, combines two abstract states. ∙ The termination check : if the abstract state given as first parameter is covered by the states of abstract state given as second parameter, then we stop. The way we define covered is where the customization happens. ∙ A set of possible precisions for the abstract domain. We will have pairs (e, π) of states e with precision π. For example, if e is a floating-point variable, π can be the number of digits. ∙ A precision adjustement function, changes the precision from one abstract state to another. 4
Principles Formalism Application Results • As before, the reachability algorithms computes an over-approximation of the set of reachable concrete states. • A set reached contains all the abstract states that have been reached, and a set waitlist the abstract states that have not been processed so far. • How does the precision changes the algorithm from the one in CPA: ∙ Begins by the state e0 with precision π0. ∙ For a given state e, we adjust the precision according to which abstract states we reached. • We have many tools, some being accurate but quite slow, other converging faster but loosing in accuracy… Let’s combine them! ∙ For example, predicate abstraction and shape analysis can be combined. The shape graph can become more accurate by using information from the predicate abstraction. The accuracy of the combination is the degree of sharpness. 5
PrinciplesFormalism Application Results • Remember in CPA: we explained how to combine things. The next step was obviously to say which CPAs we could combine. ∙ Basic BLAST’s. The components are the configurable program analysis for program locations and the configurable program analysis for predicate. Merge/Stop are separated. • So, let see which are the three CPA+ we can combine here! ∙ Explicit Analysis. Merge/Stop are separated. The precision specifies for each variable x a maximum quantity π(x) of values we can store (threshold). If π(x) = 0 we do not store any values hence we do not track the variable. If π(x) = inf, we always track the values. R(x) is the set of values stored for x. If |R(x)| > π(x), we stop keeping track of the variable. ∙ We can add to it a third component: shape analysis. ∙ We can also add to it pointer analysis as a third component (tracks pointer aliases, memory allocations, etc.) ∙ Predicate Analysis. Merge/Stop are separated. The precision of an abstract state is a set of predicates. For a predicate p, if p is in π is tracked by the analysis if this analysis is set to π (in other words the analysis cannot change here). ∙ Location Analysis. Merge/Stop are separated. The precision is the set {L} of locations. 6
PrinciplesFormalism Application Results • We showed an example at the beginning where we abstracted the explicit abstract domain (stopped tracking one variable) and refined the predicates (dealing with a set of values that becomes too big). • This can be defined as the composition of the three CPA+: location analysis L, predicate analysis P and explicit analysis C. • Everything is in the composite precision adjustement function. If the number of values for a variable becomes too big, we stop the explicit analysis and add the predicates. That’s exactly what we said before, thus this definition is quite straight-forward. • Want to analyse heap structures? Compose a CPA+ for shape analysis (costly computations) and a CPA+ for explicit heap analysis (requires lots of space). Again, when the size of the data becomes too big fir explicit heap analysis, we abstract and go for shape analysis. 7
PrinciplesFormalism Application Results • CPA+ has been implemented to extend BLAST (allows reusability of components such as the interface to theorem provers for predicate analysis, interface to the TLVA package for heap analysis, etc). • Experiments have been conducted on the composition of the three CPA+ we presented (location + predicate + explicit), with different values for the maximum number of values stored for a variable (i.e. different values of the threshold that triggers the change of precision). This is the example we had at the beginning. An explicit analysis cannot work because of the arbitrarily large number of possible values. We see from the results that the better idea is to track variables with a small number of values and to handle the loop index with symbolically, as we explained. Now, we bound the loop index by some number. So, we can do an explicit analysis. However, as there are still many possible values for the index, a symbolic analysis shows to be faster. 8
PrinciplesFormalism Application Results • Those programs are subroutines for the handshake protocol of SSH. • In pure predicate analysis, the predicates are missused to track just one single explicit value, which is the job in which a purely explicit analysis performs better. • A purely explicit analysis creates false alarms in all cases. 9
This Presentation was Based on… Program Analysis with Dynamic Change of Precision (Beyer, Henzinger and Théoduloz). I won’t give any date because there are not any yet …but according to our conjectures, we predict that it will not be before 2008… T H A N K Y O U